A China-linked APT has built an operational relay boxes (ORB) network of more than 1,000 backdoored nodes for espionage purposes, SecurityScorecard reports.
The prolonged espionage infrastructure campaign, dubbed LapDogs (PDF), has been targeting IT, media, networking, real estate, and other industries in the US and Southeast Asian countries, including Japan, South Korea, Hong Kong, and Taiwan.
As part of the campaign, the threat actor has been infecting small office/home office (SOHO) routers with a custom backdoor named ShortLeash, which provides stealthy, long-term access to the compromised devices.
Per each installation, the backdoor can generate self-signed TLS certificates posing as “LAPD” (an apparent attempt to spoof the Los Angeles Police Department).
Most of the infected devices are Ruckus Wireless access points, followed by Buffalo Technology AirStation wireless routers. Running old and unpatched SSH services, they were found vulnerable to CVE-2015-1548 and CVE-2017-17663.
The LapDogs campaign likely started in September 2023, based on the date the first identified certificate was issued, and has been gradually growing in methodical and small-scale operations that would infect up to 60 devices per run.
LapDogs, SecurityScorecard says, appears linked to PolarEdge, an ORB network of more than 2,000 infected routers and other IoT devices that has been active since at least 2023. Despite overlaps and similarities, the two appear to be distinct operations.
“ORBs use compromised devices to maintain stealthy, long-term infrastructure—not to launch noisy, disruptive attacks. They function as flexible infrastructure and can provide operational cover for malicious activity. The compromised devices in the network continue functioning as usual during campaigns, which can make detection and attribution elusive,” the security firm notes.
Seemingly focused on certain countries and geographies, the campaign was attributed to UAT-5918, a Chinese APT that Cisco Talos linked earlier this year to Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit activities.
In numerous intrusions, the threat actor was seen exploiting known vulnerabilities for initial access, harvesting credentials to elevate its privileges and obtain additional access venues, and using web shells and open source tools to perform post-compromise operations and establish persistence.
Related: Exploitation Long Known for Most of CISA’s Latest KEV Additions
Related: Chinese Espionage Crews Circle SentinelOne in Year-Long Reconnaissance Campaign
Related: Russian Espionage Group Using Ransomware in Attacks
Related: 11 State-Sponsored APTs Exploiting LNK Files for Espionage, Data Theft
